[BreachExchange] HIPAA & Medical Data Security for Web Developers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 2 18:05:12 EDT 2018


https://hackernoon.com/hipaa-medical-data-security-for-web-developers-c877fcde0716?gi=65dd5bce961a

If your company works in healthcare and stores information about a person’s
health, there’s a good chance you’ll have to abide by HIPAA. What is HIPAA,
and how do you stay in compliance? Let’s look at how HIPAA affects your website.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 protects
patients’ data. It mandates industry-wide standards for healthcare
transactions such as billing, and also “requires protection and
confidential handling of protected health information,” according to the
California Department of Health Care Services.

The HIPAA Privacy Rule, according to the Department of Health and Human
Services, protects “individually identifiable health information” held or
transmitted by a covered entity or its business associates, “in any form or
media, whether electronic, paper, or oral.” In short, if you hold any
information about a patient’s health that could identify them, and you hold
it as a covered entity or on behalf of one, it falls under HIPAA protection.

For example, a healthcare marketing agency needs its call tracking to be
fully HIPAA-compliant, but can still integrate the call tracking with
Google AdWords and Analytics. Pulling the data into AdWords, Analytics, and
client reports could, in theory, expose callers’ (that is, patients’)
information, and so it falls under HIPAA.

Who Needs to be HIPAA Compliant?

Does your app or site need to be HIPAA compliant? Maybe. If, for example,
it is a consumer app that lets a person record their weight, build an
exercise routine, maintain and track a daily diet plan, or look up reference
information, and no covered entity is involved, then it probably does not
need to be compliant.

However, if your business is a business associate of a healthcare provider,
or a provider has contracted your company to create an app and its associated
website, then you must comply with HIPAA privacy and security rules. HHS
provides several other worked examples of whether an app or website needs to
be compliant, as well.

Non-Compliance Consequences

Consequences for non-compliance can be heavy. As the University of
Cincinnati notes, a category 1 violation, one the organization did not know
about and could not realistically have avoided despite reasonable care,
carries a fine of $100 to $50,000 per violation. Category 2, where the
violation could not be avoided but the company should have been aware of it
(reasonable cause), carries a fine of $1,000 to $50,000 per violation.
Category 3, willful neglect that was corrected within the required time,
carries a fine of $10,000 to $50,000 per violation. Finally, category 4,
willful neglect with no attempt at correction, carries a fine of $50,000 per
violation. For every category, fines for identical violations are capped at
$1.5 million per calendar year.

There can also be associated criminal penalties and prison time, from up to
one year for a tier 1 offense (knowingly obtaining or disclosing protected
health information), to up to five years for a tier 2 offense (doing so under
false pretenses), to up to ten years for a tier 3 offense (obtaining or
disclosing the information with intent to sell it or with malicious intent).

GDPR

You might also need to comply with the General Data Protection Regulation,
the EU’s new privacy law, if you handle data about people in the EU. One of
the major takeaways is that, on request, you will need to provide a person
with a copy of all the personal data your site has collected or stored about
them (the right of access). There are, of course, plenty of other GDPR rules
concerning how data on your site is stored, backed up, and accessed. Be sure
to check your compliance.

How to Be Secure

How do you protect your company and ensure you are in compliance with
HIPAA? Most of the advice is, in general, just good security practice.
Duquesne University lists the following as the top causes of HIPAA
violations: lost or stolen devices that could be used to store or access
confidential data; hacking; employee dishonesty, such as accessing records
they are not authorized to see; improper disposal of information;
disclosure to a third party without first determining that the third party
is also in compliance; unauthorized release of patient records; unencrypted
data; lack of training; unsecured records; and word of mouth, such as
discussing sensitive information outside a confidential setting.

Again, many of these have straightforward fixes. Your database of patient
information should be encrypted at rest and on backups, and access to it
should be locked down. Employees with access to patient records should use
strong, unique passwords, only employees with a genuine need should be
granted access to the data, and every access should be logged, since the
HIPAA Security Rule requires audit controls.

On the client end, require two-factor authentication for anyone who can
reach patient data, and use e-signatures where consent or authorization must
be recorded. Serve the whole site over HTTPS with a TLS certificate,
redirect HTTP to HTTPS, and enable HSTS so that sensitive health data is
never sent in the clear. Ensure you are using current protocol versions
(TLS 1.2 or later) and strong cipher suites.
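The two-factor step is the one piece of the above that web developers most often end up implementing themselves, and it is easy to get subtly wrong. The following is an added example, not code from the original article: a minimal server-side TOTP (RFC 6238) verifier in Python using only the standard library. The secret is the published RFC 4226 / RFC 6238 test key "12345678901234567890", so the outputs can be checked against the RFC vectors; the function names and the one-step drift window are this example's own choices. The points worth keeping are the replay guard (a code is accepted at most once), the constant-time comparison, and the bounded drift window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII bytes).
# A real deployment generates a random secret per user and stores it
# encrypted, like any other credential. Used here only so the outputs
# can be checked against the published vectors.
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(unix_time // step), digits)


def verify_totp(key: bytes, submitted: str, unix_time: float,
                last_counter: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current time step and its
    +/- `window` neighbours (to tolerate clock drift).

    Returns the matching counter so the caller can persist it as
    `last_counter`, or None if the code is not accepted. Any counter at or
    below `last_counter` is refused even if the code would otherwise match:
    a TOTP code must never be accepted twice (replay protection)."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(unix_time // step)
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        if last_counter is not None and counter <= last_counter:
            continue
        # compare_digest avoids leaking a partial match through timing
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the secret, as typed into an authenticator app."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


if __name__ == "__main__":
    now = time.time()
    print("secret for authenticator app:", provisioning_secret(TEST_KEY))
    print("current 6-digit code:", totp(TEST_KEY, now))
    print("RFC 6238 vector, t=59, 8 digits:", totp(TEST_KEY, 59, digits=8))
```

Store the returned counter against the user after every successful login and pass it back as last_counter on the next attempt; without that, an attacker who sniffs or shoulder-surfs a code has up to the full drift window to reuse it. Rate-limit the verification endpoint as well, since a six-digit code with a three-step window is only about 300,000 guesses deep.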

If there is a breach, it’s important to follow the HIPAA Breach Notification
Rule: notify affected individuals without unreasonable delay and no later
than 60 days after discovery. If more than 500 individuals are affected, you
must also notify the HHS Secretary within that same period and, where more
than 500 residents of one state or jurisdiction are affected, prominent
media outlets serving that area. Smaller breaches are logged and reported
to HHS annually.